Posted to issues@metron.apache.org by "Otto Fowler (JIRA)" <ji...@apache.org> on 2016/11/02 11:51:58 UTC

[jira] [Assigned] (METRON-425) Stellar transformation fails to handle special characters

     [ https://issues.apache.org/jira/browse/METRON-425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Otto Fowler reassigned METRON-425:
----------------------------------

    Assignee: Otto Fowler  (was: Justin Leet)

> Stellar transformation fails to handle special characters
> ---------------------------------------------------------
>
>                 Key: METRON-425
>                 URL: https://issues.apache.org/jira/browse/METRON-425
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Neha Sinha
>            Assignee: Otto Fowler
>
> I updated the snort parser file to have the following Stellar transformation:
> PARSER Config: snort
> {
>   "parserClassName": "org.apache.metron.parsers.snort.BasicSnortParser",
>   "sensorTopic": "snort",
>   "parserConfig": {},
>   "fieldTransformations": [
>     {
>       "transformation": "STELLAR",
>       "output": ["is_alert", "newStellarField", "isAlert"],
>       "config": {
>         "is_alert": "false",
>         "isAlert": "false",
>         "newStellarField": "<<??>>"
>       }
>     }
>   ]
> }
> I get the following exception/error for the snort logs:
> 2016-09-13 11:30:32.765 o.a.m.p.BasicParser [TRACE] [Metron] Message conforms to schema: {"msg":"\"'snort test alert'\"","sig_rev":"0","ip_dst_port":"80","ethsrc":"00:00:00:00:00:00","tcpseq":"0x5869E532","dgmlen":"40","icmpid":"","tcplen":"","tcpwindow":"0xFA02","icmpseq":"","tcpack":"0x3E05E218","protocol":"TCP","ip_dst_addr":"72.34.49.86","original_string":"09\/13-11:30:25.703857 ,1,999158,0,\"'snort test alert'\",TCP,192.168.138.158,49204,72.34.49.86,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0x5869E532,0x3E05E218,,0xFA02,128,0,2508,40,40960,,,,","icmpcode":"","tos":"0","id":"2508","ip_src_addr":"192.168.138.158","timestamp":1473766928857,"ethdst":"00:00:00:00:00:00","is_alert":"true","ttl":"128","ethlen":"0x3C","iplen":"40960","icmptype":"","ip_src_port":"49204","tcpflags":"***A****","sig_id":"999158","sig_generator":"1"}
> 2016-09-13 11:30:32.766 b.s.d.executor [ERROR] 
> org.apache.metron.common.dsl.ParseException: Syntax error @ 1:0 no viable alternative at input '<'
> 	at org.apache.metron.common.dsl.ErrorListener.syntaxError(ErrorListener.java:34) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.ProxyErrorListener.syntaxError(ProxyErrorListener.java:65) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.Parser.notifyErrorListeners(Parser.java:558) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.DefaultErrorStrategy.reportNoViableAlternative(DefaultErrorStrategy.java:310) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.DefaultErrorStrategy.reportError(DefaultErrorStrategy.java:147) ~[stormjar.jar:?]
> 	at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:300) ~[stormjar.jar:?]
> 	at org.apache.metron.common.stellar.generated.StellarParser.transformation(StellarParser.java:146) ~[stormjar.jar:?]
> 	at org.apache.metron.common.stellar.BaseStellarProcessor.parse(BaseStellarProcessor.java:92) ~[stormjar.jar:?]
> 	at org.apache.metron.common.field.transformation.StellarTransformation.map(StellarTransformation.java:46) ~[stormjar.jar:?]
> 	at org.apache.metron.common.configuration.FieldTransformer.transform(FieldTransformer.java:111) ~[stormjar.jar:?]
> 	at org.apache.metron.common.configuration.FieldTransformer.transformAndUpdate(FieldTransformer.java:123) ~[stormjar.jar:?]
> 	at org.apache.metron.parsers.bolt.ParserBolt.execute(ParserBolt.java:125) [stormjar.jar:?]
> 	at backtype.storm.daemon.executor$fn__5492$tuple_action_fn__5494.invoke(executor.clj:684) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.daemon.executor$mk_task_receiver$fn__5415.invoke(executor.clj:431) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.disruptor$clojure_handler$reify__4991.onEvent(disruptor.clj:58) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.utils.DisruptorQueue.consumeBatchToCursor(DisruptorQueue.java:125) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.utils.DisruptorQueue.consumeBatchWhenAvailable(DisruptorQueue.java:99) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.disruptor$consume_batch_when_available.invoke(disruptor.clj:80) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.daemon.executor$fn__5492$fn__5505$fn__5556.invoke(executor.clj:813) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at backtype.storm.util$async_loop$fn__644.invoke(util.clj:479) [storm-core-0.10.0.2.4.2.0-258.jar:0.10.0.2.4.2.0-258]
> 	at clojure.lang.AFn.run(AFn.java:22) [clojure-1.6.0.jar:?]
> 	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
> Caused by: org.antlr.v4.runtime.NoViableAltException
> 	at org.antlr.v4.runtime.atn.ParserATNSimulator.noViableAlt(ParserATNSimulator.java:1894) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.atn.ParserATNSimulator.execATN(ParserATNSimulator.java:498) ~[stormjar.jar:?]
> 	at org.antlr.v4.runtime.atn.ParserATNSimulator.adaptivePredict(ParserATNSimulator.java:424) ~[stormjar.jar:?]
> 	at org.apache.metron.common.stellar.generated.StellarParser.transformation_expr(StellarParser.java:251) ~[stormjar.jar:?]
> 	... 16 more


